Security enclave device to extend a virtual secure processing environment to a client device

ABSTRACT

Disclosed are methods and devices to provide a transaction over a network. In one embodiment, a machine-implemented method includes: opening, through an enclave device, an in-band channel or an out-of-band channel over the network; authenticating, through the enclave device, a user of a resource over the in-band channel or the out-of-band channel; facilitating, through the enclave device, an authorization of the user to access the resource over the in-band channel or the out-of-band channel; and accounting for a transaction conducted by the user accessing the resource, through the enclave device, over the in-band channel or the out-of-band channel.

CLAIM OF PRIORITY

This application is a non-provisional application claiming priority to co-pending U.S. non-provisional patent application Ser. No. 13/749,663 titled: “SECURITY ENCLAVE DEVICE TO EXTEND A VIRTUAL SECURE PROCESSING ENVIRONMENT TO A CLIENT DEVICE,” filed on Jan. 24, 2013, which claimed priority to U.S. provisional patent application Ser. No. 61/747,212 titled: “SECURITY ENCLAVE DEVICE TO EXTEND A VIRTUAL SECURE PROCESSING ENVIRONMENT TO A CLIENT DEVICE,” filed on Dec. 29, 2012.

INCORPORATION BY REFERENCE

This application incorporates by reference U.S. patent application Ser. No. 13/726,491 titled: “METADATA-DRIVEN SWITCH NETWORK CONTROL,” filed on Dec. 24, 2012, in its entirety.

FIELD OF TECHNOLOGY

This disclosure relates generally to network security technology and, in one example embodiment, to methods and apparatus to provide network security to a client device through an enclave device.

BACKGROUND

Demand for a more secure network switching infrastructure has increased with the proliferation of mobile and/or untethered computing devices (such as supervisory control and data acquisition (SCADA) systems, industrial control systems, transportation systems, smartphones, tablet computers, set-top boxes, and hotspot devices). Applications and web browsers running on such devices and over such an infrastructure may be susceptible to attacks by malicious agents at a resource level, or at a resource flow level (such as eavesdropping, key loggers, worms, viruses, Trojan horses, or spoofing attacks). While security experts have developed increasingly complex means of securing traffic flow (such as networking protocols, encryption tunnels, and key generation and authentication systems), the challenge remains to secure a transaction from its origination on a client device to its destination behind a switch, while enabling a non-repudiation of the transaction.

Solutions and software systems implementing a public key infrastructure (PKI) may rely on a transmission of a private key to secure transactions in a network. These software systems may require physical access to a certificate authority to store public keys and issue digital certificates. However, this physical access may not be suitable for mobile devices on a wide area network (WAN). More problematic are network security switches and routers that adopt a blacklist approach to prevent malicious agents from connecting to a network and compromising the security of the network. Such a blacklist may implement a draconian set of rules or regular expressions to locate and filter out malicious traffic. To circumvent this, a malicious agent installed on an infected client device may simply change a single bit to evade the most sophisticated traffic management and malware detection mechanism.

Some systems may implement a trusted platform module (TPM) to facilitate the use of keys and the establishment of secure channels. However, these secure communications between devices may often be manipulated by malicious agents to gain access or to set up tunnels to a backend enterprise. Furthermore, security protocols utilized by these systems, such as transport layer security (TLS), secure sockets layer (SSL), or internet protocol security (IPsec), may not scale in network address translation (NAT) networks where proxies and reverse proxies may need to be set up to carry traffic on a mobile network. Furthermore, security protocols utilized by these systems may not be able to validate a user on a specific client device because the client device may not have been issued an identity from a PKI due to complexities in enrollment and maintenance of the identity. In that case, a malicious agent in possession of a user's log-on credentials may use the credentials to access any resource from any device regardless of other protections afforded by the device and the network. Also, a malicious agent having remote control of a client device may be able to compromise the integrity of the device and the network and perform malicious actions that may also compromise the ability to perform non-repudiation of a transaction in near real time.

SUMMARY

Disclosed are methods and apparatus to provide an end-to-end secure transaction over a software defined network (SDN). In one aspect, a machine-implemented method includes: opening, through an enclave device, an in-band virtual secure channel (VSC) or an out-of-band VSC over the SDN; authenticating, through the enclave device, a user of a resource over the in-band VSC or the out-of-band VSC; facilitating, through the enclave device, an authorization of the user to access the resource over the in-band VSC or the out-of-band VSC; and accounting for a transaction conducted by the user accessing the resource, through the enclave device, over the in-band VSC or the out-of-band VSC.

The in-band VSC may be opened over an in-band network and the out-of-band VSC may be opened over an out-of-band network using a user identity, a client device identity, and/or a resource identity distributed through a PKI. Additionally, the in-band network may be a wireless network established over a licensed radio frequency band or a wired network. Moreover, the out-of-band network may be a wireless network established over an unlicensed radio frequency band.

The method also includes authenticating the user of the resource through a multi-factor authentication mechanism using one or more readers of the enclave device. The multi-factor authentication mechanism may comprise two or more of a near-field communication (NFC) identification mechanism, a biometric reader identification mechanism, a user name and password identification mechanism, a pattern matching identification mechanism, a global positioning system (GPS) identification mechanism, or a radio-frequency identification (RFID) mechanism. In this case, the user identity may be received through the in-band VSC or the out-of-band VSC.

In this aspect, the method also involves facilitating, through the enclave device, the authorization of the user to access the resource by: generating a one-time encrypted software token (EST) through a trusted platform module (TPM), sending a hash of the one-time EST through the in-band VSC or the out-of-band VSC to a switch managing the SDN, and authorizing the user to access the resource based on a comparison of the hash of the one-time EST with a one-time EST independently generated by the switch. In this aspect, the enclave device may comprise a battery, a low-power processor, an NFC chip, a plurality of readers, an interface to a client device used by the user to access the resource, and a storage device coupled to the low-power processor. Also in this aspect, the interface to the client device may be a physical interface that couples the enclave device to the client device through a physical connection. The interface to the client device may also be a radio interface that couples the enclave device to the client device through a radio frequency connection.

In an alternative aspect, the enclave device may be an integrated circuit chip embedded in a client device used by the user to access the resource. In another alternative aspect, the enclave device may be a software module running on a client device used by the user to access the resource.

In another aspect, an enclave device is disclosed to provide an end-to-end secure transaction over an SDN. The enclave device comprises: one or more low-power processors; one or more storage devices communicatively coupled to the one or more low-power processors; a number of readers communicatively coupled to the one or more low-power processors; an NFC chip communicatively coupled to the one or more low-power processors; a battery; an interface to a client device; and one or more programs, where the one or more programs are stored in the one or more storage devices and executable by the one or more low-power processors.

In this aspect, the one or more programs comprise instructions to open an in-band VSC or an out-of-band VSC from the client device to a switch managing the SDN, instructions to authenticate a user of a resource over the in-band VSC or the out-of-band VSC, instructions to facilitate an authorization of the user to access the resource using the client device over the in-band VSC or the out-of-band VSC, and instructions to account for a transaction conducted by the user through the client device using the resource over the in-band VSC or the out-of-band VSC.

In this aspect, the in-band VSC may be opened over an in-band network and the out-of-band VSC may be opened over an out-of-band network. In particular, the in-band network may be a wireless network established over a licensed radio frequency band or a wired network and the out-of-band network may be a wireless network established over an unlicensed radio frequency band. Either the in-band VSC or the out-of-band VSC may be opened at a resource level, a resource flow level, or a network level. Additionally, a virtual network may be established over the in-band VSC or the out-of-band VSC under the direction of the switch managing the SDN.

The one or more programs may further comprise instructions to authenticate the user through a multi-factor authentication mechanism using one or more readers of the enclave device. In this aspect, the multi-factor authentication mechanism comprises two or more of an NFC identification mechanism, a biometric reader identification mechanism, a user name and password identification mechanism, a pattern matching identification mechanism, a GPS identification mechanism, or an RFID mechanism.

The one or more programs may also comprise instructions to facilitate the authorization of the user to access the resource using the client device with further instructions to: generate a one-time EST through a TPM of the enclave device, send a hash of the one-time EST through the in-band VSC or the out-of-band VSC to the switch, and authorize the user to access the resource based on a comparison of the hash of the one-time EST with a one-time EST independently generated by the switch.

The interface to the client device may be a physical interface that couples the enclave device to the client device through a physical connection. Alternatively, the interface to the client device may be a radio interface that couples the enclave device to the client device through a radio frequency connection.

In yet another aspect, disclosed is a storage medium readable through a processor, and including instructions embodied in the storage medium and configured to be executable through the processor, comprising: instructions to open an in-band VSC or an out-of-band VSC from a client device to a switch managing an SDN; instructions to authenticate, through a reader communicatively coupled to the processor, a user of a resource over the in-band VSC or the out-of-band VSC; instructions to facilitate an authorization of the user to access the resource over the in-band VSC or the out-of-band VSC; and instructions to account for a transaction conducted by the user using the resource over the in-band VSC or the out-of-band VSC.

In this aspect, the in-band VSC may be opened over an in-band network and the out-of-band VSC may be opened over an out-of-band network. In particular, the in-band network may be a wireless network established over a licensed radio frequency band or a wired network and the out-of-band network may be a wireless network established over an unlicensed radio frequency band. Either the in-band VSC or the out-of-band VSC may be opened at a resource level, a resource flow level, or a network level. Additionally, a virtual network may be established over the in-band VSC or the out-of-band VSC under the direction of the switch managing the SDN.

The storage medium may further comprise instructions to authenticate the user through a multi-factor authentication mechanism using one or more readers of the enclave device. In this aspect, the multi-factor authentication mechanism comprises two or more of an NFC identification mechanism, a biometric reader identification mechanism, a user name and password identification mechanism, a pattern matching identification mechanism, a GPS identification mechanism, or an RFID mechanism.

Finally, the storage medium may also comprise instructions to facilitate the authorization of the user to access the resource using the client device with further instructions to: generate a one-time EST through a TPM of the enclave device, send a hash of the one-time EST through the in-band VSC or the out-of-band VSC to the switch, and authorize the user to access the resource based on a comparison of the hash of the one-time EST with a one-time EST independently generated by the switch.
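The one-time EST authorization described in the aspects above, modelled end to end as an added example (this is not the patent's own code). The patent does not say how the EST is derived, so the model assumes a per-enclave secret shared at enrollment between the enclave's key store and the switch's key management database, a monotonic counter tracked by both sides, and HMAC-SHA256 as the derivation; the device, user and resource identifiers are constructed.

```python
import hashlib
import hmac
import os


def derive_est(shared_secret: bytes, device_id: str, counter: int) -> bytes:
    """One-time EST bound to the enclave device identity and a counter.

    ASSUMPTION: the page gives no token format; HMAC-SHA256 over the device
    identity and an 8-byte counter stands in for the TPM-generated token.
    """
    msg = device_id.encode() + counter.to_bytes(8, "big")
    return hmac.new(shared_secret, msg, hashlib.sha256).digest()


def est_hash(est: bytes) -> str:
    """Only the hash of the EST travels over the VSC; the EST itself stays in the enclave."""
    return hashlib.sha256(est).hexdigest()


class EnclaveDevice:
    """Enclave side: holds the secret (the TPM key store in the patent's model)."""

    def __init__(self, device_id: str, shared_secret: bytes):
        self.device_id = device_id
        self._secret = shared_secret
        self.counter = 0

    def authorization_request(self, user_id: str, resource_id: str) -> dict:
        # Each request consumes a fresh counter value, so each EST is one-time.
        self.counter += 1
        est = derive_est(self._secret, self.device_id, self.counter)
        return {
            "device_id": self.device_id,
            "user_id": user_id,
            "resource_id": resource_id,
            "counter": self.counter,
            "est_hash": est_hash(est),
        }


class Switch:
    """Switch side: key management, authorization and accounting databases."""

    def __init__(self):
        self.key_db = {}       # device_id -> (shared_secret, last counter accepted)
        self.authz_db = {}     # device_id -> set of permitted resource ids
        self.accounting = []   # one record per transaction, allowed or denied

    def enroll(self, device_id: str, shared_secret: bytes, permitted) -> None:
        self.key_db[device_id] = (shared_secret, 0)
        self.authz_db[device_id] = set(permitted)

    def authorize(self, req: dict) -> bool:
        device_id = req["device_id"]
        entry = self.key_db.get(device_id)
        if entry is None:
            return self._account(req, False, "unknown device")
        secret, last_counter = entry
        # A counter at or below the last accepted one is a replay or stale token.
        if req["counter"] <= last_counter:
            return self._account(req, False, "replayed or stale counter")
        # Independently regenerate the EST and compare hashes in constant time.
        expected = est_hash(derive_est(secret, device_id, req["counter"]))
        if not hmac.compare_digest(expected, req["est_hash"]):
            return self._account(req, False, "EST hash mismatch")
        # The EST is genuine: consume the counter even if the resource is denied,
        # so a valid token cannot be retried against other resources.
        self.key_db[device_id] = (secret, req["counter"])
        if req["resource_id"] not in self.authz_db[device_id]:
            return self._account(req, False, "resource not permitted")
        return self._account(req, True, "ok")

    def _account(self, req: dict, allowed: bool, reason: str) -> bool:
        self.accounting.append({**req, "allowed": allowed, "reason": reason})
        return allowed


def demo() -> tuple:
    """Constructed run: one genuine request, its replay, and a forged hash."""
    secret = os.urandom(32)
    switch = Switch()
    switch.enroll("enclave-408A", secret, {"resource-440A"})
    enclave = EnclaveDevice("enclave-408A", secret)
    genuine = enclave.authorization_request("user-400A", "resource-440A")
    first = switch.authorize(genuine)
    replay = switch.authorize(genuine)
    forged = dict(enclave.authorization_request("user-400A", "resource-440A"),
                  est_hash="00" * 32)
    forged_ok = switch.authorize(forged)
    return first, replay, forged_ok, len(switch.accounting)


if __name__ == "__main__":
    print(demo())
```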

The methods and apparatus disclosed herein may be implemented in any means for achieving various aspects. Other features will be apparent from the accompanying drawings and from the detailed description that follows.

BRIEF DESCRIPTION OF THE DRAWINGS

Example embodiments are illustrated by way of example and are not limited to the figures of the accompanying drawings, in which like references indicate similar elements.

FIG. 1 illustrates an enclave device to provide an end-to-end secure transaction over an SDN, according to one or more embodiments.

FIGS. 2A-2D illustrate various embodiments of the enclave device of FIG. 1, according to one or more embodiments.

FIG. 3 illustrates VSCs being opened over an out-of-band network and an in-band network using the enclave device of FIG. 1, according to one or more embodiments.

FIG. 4 illustrates an enclave device accessing one or more resources over the VSCs, according to one or more embodiments.

FIG. 5 illustrates a columnar process flow diagram of a user gaining access to a resource through the enclave device of FIG. 1, according to one or more embodiments.

FIG. 6 illustrates a flowchart diagram of authenticating a user through the enclave device of FIG. 1 and a switch managing the SDN, according to one or more embodiments.

FIG. 7 illustrates the enclave device of FIG. 1 facilitating the authorization of a user, according to one or more embodiments.

Other features of the present embodiments will be apparent from the accompanying drawings and from the detailed description that follows.

DETAILED DESCRIPTION

Disclosed are methods and apparatus to provide an end-to-end secure transaction over a software defined network (SDN). Although the present embodiments have been described with reference to specific example embodiments, it will be evident that various modifications and changes may be made to these embodiments without departing from the broader spirit and scope of the various embodiments. It should be understood by one of ordinary skill in the art that the terms “application(s),” “program(s),” “software,” “software code,” “sub-program(s),” “module(s),” and “block(s)” are industry terms that refer to computing instructions stored in a memory or storage device of a processing device and executable by a processor of the processing device.

Reference is now made to FIG. 1, which illustrates a block diagram of an enclave device 100 used to extend a virtual secure processing environment (VSPE) 106 to a client device 130 and to provide virtual networking and security functions to a user of the client device 130 accessing a resource. The enclave device 100 also allows the client device 130 to conduct an end-to-end secure transaction over an SDN. In one or more embodiments, the enclave device 100 comprises a storage device 102, a low-power processor 114, a trusted platform module 116, a key store 118, an NFC chip 120, an interface to a client device 122, readers 124, a battery 126, and a wireless charging circuit 128. All such components of the enclave device 100 are coupled to the low-power processor 114 through high-speed buses indicated by double-arrowed lines. The low-power processor 114 may be a low-voltage microprocessor having two to four cores. The trusted platform module 116 may be implemented as a secure cryptoprocessor designed according to the specifications of the Trusted Computing Group (see www.trustedcomputinggroup.org). As depicted in FIG. 1, the trusted platform module 116 may be coupled to a hardware-based key store 118 to store keys distributed through a public key infrastructure (PKI).

The storage device 102 may comprise programs or instructions 104 to maintain a virtual secure processing environment 106. The VSPE 106 may comprise a virtual secure network controller 108 and a virtual machine 110. The virtual secure network controller 108 may open an in-band VSC or an out-of-band VSC (depicted here as VSC 112) over the SDN to a switch managing the SDN (for example, the switch 304 in FIG. 3). The virtual machine 110 may further segregate the in-band VSC or the out-of-band VSC so opened into one or more virtual networks or VLANs. It should be understood by one of ordinary skill in the art that the instructions 104 of the storage device 102 may be executed by the low-power processor 114 or by another low-power processor embedded in the enclave device 100 and not shown in FIG. 1. Additionally, the low-power processor 114 may execute instructions stored in a memory of the trusted platform module 116 and may also execute instructions stored in a memory of one or more of the readers 124. The VSPE 106 may automatically enroll, maintain, and manage a user identity, a device identity, and a resource identity and their associated public and private keys distributed through a PKI, and store such keys in the key store 118 of the trusted platform module 116. The VSPE 106 may also allow a user, a client device, and/or a resource to interact with data storage mechanisms, as well as with VSC networking capabilities. This may be provided through an API that may be integrated into an application layer program on the client device. The VSPE 106 may also provide an API for an application layer program on the client device to integrate with the readers 124 without gaining access to the data gathered by the readers 124. This prevents malware on the client device from providing that data to a threat agent.

The VSPE 106 may also provide a way for the operating system of the client device to monitor the keyboard of the client device and ensure that a key logger is not running on the device by monitoring the VSC. The VSPE 106 may also permit profiling, integrity checking, and performance analysis of the client device, as well as sending any metrics to the switch managing the SDN. The VSPE 106 may send certain historical and near real-time information regarding a user, a client device, a resource, an in-band VSC, or an out-of-band VSC to the switch managing the SDN. Such information may also include flow information, which may comprise data packets from a user, a device, an application, a tenant, and/or a VLAN identifier. Additionally, the VSPE 106 may account for 5-tuple (src IP, dst IP, src port, dst port, and/or protocol identifier) information regarding network address translation (NAT) addresses, a flow state, a sequence number, a bandwidth low watermark, a bandwidth high watermark, a current bandwidth, a flow uptime, an L4 application protocol, and/or an L7 application protocol. Additionally, the VSPE 106 may account for information regarding a VSC such as the user identity, the device identity, and the resource identity used to open the VSC, and the type of VSC opened (whether in-band or out-of-band). Furthermore, the VSPE 106 may account for the processes, applications, and data accessed by a client device and the configuration of the client device, including manufacturer information, the operating system and applications installed on the client device, a serial number of the client device, the type of memory on the client device, and the version of the client device. Tracking this level of data enables a near real-time security incident handling process in which a network administrator can manage and monitor all traffic per user, per device, and/or per resource.

The readers 124 may comprise a biometric reader, a pattern recognition reader (such as a quick-response (QR) code reader, a bar code reader, or a gesture reader), or a username and password reader. Such readers may be embedded hardware components in the enclave device 100.

Moreover, the low-power processor 114 may be coupled to the NFC chip 120, which may be used by a user to provision the switch managing the SDN (for example, switch 304 of FIG. 3) or to perform other transactions over a network requiring a non-repudiation of a transaction conducted by the user. This may be in the form of an e-commerce transaction, a financial transaction, and/or a file/data sharing between the user of the client device and a resource controlled by a switch managing the SDN. The NFC chip 120 may be any NFC tag operating on an ISM radio band approved by the NFC Forum and satisfying the requirements of ISO/IEC 18000-3, ISO/IEC 14443, or JIS X 6319-4. Additionally, the wireless charging circuit 128 may be implemented as a wireless inductive charger used to charge the battery 126.

Finally, the low-power processor 114 may be coupled to the interface to the client device 122. The interface to the client device 122 allows the enclave device 100 to communicate with the client device 130 and to access one or more resources stored in the client device 130. This may be a universal serial bus (USB), an Apple® 30-pin interface, or an Apple® Lightning® interface.

Reference is now made to FIGS. 2A-2D, which illustrate various embodiments of the enclave device 100 of FIG. 1, according to one or more embodiments. In one embodiment, the enclave device 100 may be a physical encasement of the client device 130. As depicted in FIG. 2A, the enclave device 100 may be a smartphone or mobile phone wrapper or a smartphone or mobile phone case when the client device 130 is a smartphone or mobile phone. In this embodiment, the enclave device 100 may comprise a heat dissipating element 200. This may be implemented as a heat sink, a covered grille, or a mesh window that enables airflow but does not allow physical access to the printed circuit board of the enclave device 100. This may be required when the enclave device 100 is a protective case, to enable the client device 130 to dissipate heat and prevent the client device 130 from overheating. As shown in FIG. 2A, the interface to the client device 122 may be a physical interface such as a connecting wire or dock connector comprising a power bus and a data bus. This may be a universal serial bus (USB), an Apple® 30-pin interface, or an Apple® Lightning® interface.

In another embodiment, the enclave device 100 may be a smartphone or mobile phone wrapper, a smartphone or mobile phone case, or a wrapper at short range (less than 1 meter) to the client device 130. In this embodiment, the enclave device 100 may communicate with the client device 130 through a radio interface. As depicted in FIG. 2B, both the enclave device 100 and the client device 130 may comprise an antenna to receive and transmit RF signals 202 over an unlicensed RF band at short range. In one embodiment, the interface to the client device 122 may be this antenna.

In yet another embodiment, the enclave device 100 may be an integrated circuit (IC) chip 204 embedded in the client device 130. In this embodiment, the storage device 102, the low-power processor 114, the trusted platform module 116, the key store 118, and the interface to the client device 122 (see FIG. 1) would be integrated on this IC chip 204. The battery 126, the wireless charging circuit 128, the NFC chip 120, and the readers 124 may be components coupled to the client device 130 or may be components already embedded in the client device 130. The battery 126 may also serve to charge the battery of the client device 130.

Finally, in yet another embodiment, the enclave device 100 may be a software program 206 or software module running on the client device 130. In this embodiment, only the instructions 104 for the virtual secure processing environment 106 would be stored in a storage device or memory of the client device 130. As such, the low-power processor 114, the trusted platform module 116, the key store 118, the NFC chip 120, the interface to the client device 122, the readers 124, the battery 126, and the wireless charging circuit 128 (see FIG. 1) may be components coupled to the client device 130 or may be components already embedded in the client device 130.

Reference is now made to FIG. 3, which illustrates VSCs being opened over an out-of-band network 300 and an in-band network 302 using the enclave device 100 of FIG. 1, according to one or more embodiments. As depicted in FIG. 3, the enclave device 100 may open an in-band VSC 308 over the in-band network 302. The in-band network 302 may be a wireless network established over a licensed RF band 312 or a wired network 314. In both cases, the in-band VSC 308 is established over an SDN managed by a switch 304. The in-band VSC 308 may be opened from the enclave device 100 to the switch 304 and may be opened at a resource level, a resource flow level, or a network level. In one embodiment, the switch 304 may be the metadata-driven switch of U.S. patent application Ser. No. 13/726,491. At a resource level, all traffic for a specific resource or application may be encapsulated in a single VSC irrespective of the number of unique flows generated for that resource. At a resource flow level, all traffic from a specific user, device, or resource may be encapsulated in multiple VSCs according to the unique flow of traffic. At a network level, traffic may be encapsulated according to specific source and destination network addresses without regard to the resource or the flows.
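How the three encapsulation levels just described (resource, resource flow, network) group the same client traffic into different numbers of VSCs, combined with the per-flow 5-tuple accounting the VSPE keeps (see the FIG. 1 discussion above). This is an added model, not the patent's code; the flows, resource names and the per-VSC metrics are constructed sample data, and the packet-size high watermark stands in for the bandwidth watermarks the page lists.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """5-tuple plus the client-side resource that produced the flow."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    resource_id: str


def vsc_key(level: str, flow: Flow) -> tuple:
    """Key under which a flow is encapsulated at the given VSC level."""
    if level == "resource":
        # One VSC per resource, however many flows that resource generates.
        return ("resource", flow.resource_id)
    if level == "resource_flow":
        # One VSC per unique flow of the resource.
        return ("resource_flow", flow.resource_id, flow.src_ip, flow.dst_ip,
                flow.src_port, flow.dst_port, flow.proto)
    if level == "network":
        # One VSC per source/destination address pair, regardless of resource.
        return ("network", flow.src_ip, flow.dst_ip)
    raise ValueError(f"unknown VSC level: {level}")


@dataclass
class VscRecord:
    """Accounting kept per VSC (constructed subset of the page's metrics)."""
    vsc_id: int
    packets: int = 0
    octets: int = 0
    high_watermark: int = 0               # largest packet carried so far
    flows: set = field(default_factory=set)


class VscMultiplexer:
    """Assigns flows to VSCs at one level and accounts traffic per VSC."""

    def __init__(self, level: str):
        self.level = level
        self._channels: dict = {}          # vsc key -> VscRecord

    def channel_for(self, flow: Flow) -> VscRecord:
        key = vsc_key(self.level, flow)
        if key not in self._channels:
            self._channels[key] = VscRecord(vsc_id=len(self._channels) + 1)
        return self._channels[key]

    def account(self, flow: Flow, packet_len: int) -> VscRecord:
        rec = self.channel_for(flow)
        rec.packets += 1
        rec.octets += packet_len
        rec.high_watermark = max(rec.high_watermark, packet_len)
        rec.flows.add(flow)
        return rec

    def channel_count(self) -> int:
        return len(self._channels)


# Constructed sample: one client (10.0.0.5) running a mail client and a browser.
SAMPLE_PACKETS = [
    (Flow("10.0.0.5", "192.0.2.10", 50000, 993, "tcp", "mail-client"), 1200),
    (Flow("10.0.0.5", "192.0.2.10", 50001, 993, "tcp", "mail-client"), 300),
    (Flow("10.0.0.5", "192.0.2.10", 50002, 443, "tcp", "web-browser"), 900),
    (Flow("10.0.0.5", "198.51.100.7", 50003, 443, "tcp", "web-browser"), 1500),
    (Flow("10.0.0.5", "192.0.2.10", 50000, 993, "tcp", "mail-client"), 64),
]


def channel_counts(packets=SAMPLE_PACKETS) -> dict:
    """Number of VSCs the same traffic needs at each encapsulation level."""
    counts = {}
    for level in ("resource", "resource_flow", "network"):
        mux = VscMultiplexer(level)
        for flow, length in packets:
            mux.account(flow, length)
        counts[level] = mux.channel_count()
    return counts


if __name__ == "__main__":
    print(channel_counts())   # the browser talks to two hosts, so 2/4/2
```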

In the exemplary embodiment shown in FIG. 3, the switch 304 is connected to an application server 304 comprising a resource 326. This resource 326 may further comprise an application 328, a piece of data 330, or network access 332 to the SDN or another network. In one embodiment, a resource residing on the client device 130 (such as resource 316) coupled to the enclave device 100 may be a presentation layer of an application residing on the application 324. For example, the application 318 may be a presentation layer of the application 328 residing on the application server 324 behind the switch 304. In another embodiment, the resource 316 may reside exclusively on the client device 130, and the enclave device 100 may prevent an unauthorized user from obtaining access to the resource 316 by requiring the user to pass an authentication step involving one or more of the readers 124 of the enclave device.

Also shown in FIG. 3 is an out-of-band VSC 306 opened over an out-of-band network 300. In one embodiment, the out-of-band network is a wireless network established over an unlicensed RF band 310 (e.g., an ISM radio band). Similar to the in-band VSC 308, the out-of-band VSC 310 may also be opened from the enclave device 100 to the switch 304 and may be opened at a resource level, a resource flow level, or a network level. In one or more embodiments, the out-of-band VSC 306 may be used primarily to transmit an EST from the enclave device 100 to the switch 304 and back.

Reference is now made to FIG. 4, which illustrates an enclave device accessing one or more resources over the VSCs, according to one or more embodiments. The enclave devices depicted in FIG. 4 (for example, enclave devices 408A to 408N) may each be the enclave device 100 of FIG. 1, and multiple enclave devices (for example, enclave devices 408A to 408N) may connect to the switch 304 simultaneously.

It should be understood by one of ordinary skill in the art of network security that an SDN refers to a network architecture where network traffic is controlled using software without requiring the network administrator to have access to the network's hardware devices. A switch used to manage the SDN (such as switch 304) may decouple the control of the network, through a control plane (such as control plane 430) of the switch, from the switching or forwarding of network traffic, through a data plane (such as data plane 438) of the switch. In one or more embodiments, the switch 304 may be the metadata-driven switch of U.S. patent application Ser. No. 13/726,491.

In one embodiment, the enclave devices 408A to 408N may open one or more in-band VSCs or out-of-band VSCs (for example, VSC 428A to VSC 428N) to the switch 304 over the SDN using an Internet Key Exchange (IKE or IKEv2) protocol and Internet Protocol Security (IPsec) complying with RFC 6071. Once a VSC is established, all data packets transmitted through the VSC are encrypted and decrypted using mutual digital signatures. In one embodiment, the in-band and out-of-band VSCs (for example, VSC 428A to VSC 428N) may operate on the internet layer of TCP/IP. In another embodiment, the enclave devices 408A to 408N may open one or more in-band VSCs or out-of-band VSCs (for example, VSC 428A to VSC 428N) over the SDN using a transport layer security (TLS) protocol operating on an upper layer of TCP/IP complying with RFC 6176.

As depicted in FIG. 4, the switch 304 comprises a control plane 430 and a data plane 438. The control plane 430 further comprises a key management database 432, an authentication database 434, and an accounting database 436. While the VSCs and the network traffic carried by the VSCs are forwarded through the data plane 438 of the switch, the control plane 430 stores information transmitted through the VSCs and controls how network traffic is forwarded through the data plane 438.

In FIG. 4, VSC 428A to VSC 428N may refer to any number of VSCs established over the in-band network 302 or the out-of-band network 300. In one or more embodiments, an in-band VSC or an out-of-band VSC may be opened at a resource level, a resource flow level, or a network level using a user identity, a client device identity, or a resource identity distributed through a public key infrastructure (PKI).

In the exemplary embodiment shown in FIG. 4, user 400A may be assigned a user identity 402A by a network administrator. The user identity 402A may comprise a public key 404A and a private key 406A. The user identity 402A may comprise information known only to the user 400A, such as a username or password, and may be used by a PKI to create the public key 404A and the private key 406A. While the public key 404A can be sent through the one or more VSCs, the private key 406A of the user 400A cannot be shared with anyone other than the user 400A.

In FIG. 4, the user 400A may use the enclave device 408A to open a VSC (for example, VSC 428A) to a resource 410A on the client device 407A. In this embodiment, the client device 407A may be the client device 130 shown in FIGS. 1 and 2. This VSC (for example, VSC 428A) may connect to a resource 440A behind the switch 304, which may be a server-side resource required by the user 400A to run the resource 410A. In this embodiment, the enclave device 408A is either the enclave device 100 shown in FIG. 2C or the enclave device 100 shown in FIG. 2D. Also in this embodiment, the resource 410A may be a presentation layer application (for example, application 414A) of an application residing on an application server behind the switch 304 (for example, application 444A). Not shown in FIG. 4 is an alternative embodiment where the enclave device 408A is communicatively coupled to a client device (such as the client device 130) and the resource 410A is a resource resident on the client device. In this embodiment, the client device may be the client device 130 of FIGS. 2A and 2B and the enclave device may be the enclave device 100 of FIGS. 2A and 2B. In both embodiments, the user 400A must open the VSC through the virtual secure network controller 108 (see FIG. 1) of the enclave device. The same limitations apply to all other enclave devices shown in FIG. 4.

In all embodiments, the enclave device 408A may be assigned an enclave device identity 416A comprising a public key 418A and a private key 420A. The user identity 402A and the enclave device identity 416A may be stored in a trusted platform module of the enclave device 408A, which is understood by one with ordinary skill in the art to mean a cryptographic off-load processor designed to store cryptographic keys on a network-enabled device. The enclave device identity 416A may comprise information related to a manufacturer of the enclave device 408A, a serial number of the enclave device 408A, or a memory type installed on the enclave device 408A, used by a PKI to create the public key 418A and the private key 420A.

In one or more embodiments, the client devices indicated in FIG. 4 (client devices 407A to 407N) may refer to a network-enabled processing device (e.g., SCADA, ICS, smartphone, mobile phone, tablet computer, laptop, computer, etc.). In another embodiment, the client devices indicated in FIG. 4 (client devices 407A to 407N) may refer to a network-enabled apparatus (e.g., a network-enabled security camera, network-enabled walkie-talkie, network-enabled thermostat, etc.).

Moreover, the resource 410A may also be assigned a resource identity 422A comprising a public key 424A and a private key 426A. In this embodiment, a resource (such as resource 410A) may refer to a set of data, an application, or access to a network such as a wide area network (WAN) (e.g., the Internet) or an enterprise network or intranet. As indicated above, while resource 410A may be stored in a memory of the client device 407A, the resource 410A may also be an application layer or presentation layer of a resource residing on an application server behind the switch 304. For example, resource 440A may be the resource ultimately accessed by the user 400A when the user 400A inputs commands into the presentation layer of the resource (such as resource 410A).

As depicted in FIG. 4, VSC 428A may be an in-band VSC opened at a network level from the enclave device 408A through the in-band network 302 and ending at the resource 440A. In this embodiment, the VSC 428A may carry network traffic for various applications on the client device 407A (e.g., email traffic, web browsing traffic, VoIP traffic, etc.). In another embodiment, the VSC 428N may be an out-of-band VSC opened at a resource level from resource 410N on the client device 407N through the out-of-band network 300 to resource 440N. The VSC 428N may carry network traffic exclusively for the resource 410N (e.g., enterprise application traffic). Data traffic through all such VSCs, including VSC 428A and VSC 428N, may be forwarded or directed through the data plane 438 of the switch 304. In another embodiment, the VSC may carry traffic at a resource flow level when the resource requires communication with multiple destinations, such as a web browser.

In one embodiment, the VSCs 428A to 428N may be opened for a pre-determined period of time. In another embodiment, the VSCs 428A to 428N may be opened for as long as a resource is being used by the user 400A. In a further embodiment, the VSCs 428A to 428N may close as soon as a malicious agent is detected on the SDN, or as soon as a transaction is completed, to mitigate risk from a malicious agent.

Also depicted in FIG. 2 is the switch 304's control plane 430. The control plane 430 comprises the key management database 432, the authentication database 434, and the accounting database 436. In one embodiment, the key management database 432 may include a lightweight directory access protocol (LDAP) database storing information related to a user identity, an enclave device identity, or a resource identity. The key management database 432 may share information with the authentication database 434 and the accounting database 436.

In addition to the aforementioned users, client devices, and resources, it should be understood by one of ordinary skill in the art of network security that the switch 304 may accommodate any number of users (ranging from user 400A to user 400N), client devices (ranging from client device 407A to client device 407N), enclave devices (ranging from enclave device 408A to enclave device 408N), and resources (ranging from resource 410A to resource 410N) up to the switching capacity of the data plane 438 of the switch 304. It should also be understood by one of ordinary skill in the art that the switch 304 may be connected to other switches on the SDN to form a switch system that may extend the switching capability of the data plane 438.

Reference is now made to FIG. 5, which illustrates a columnar process flow diagram of the user 400A gaining access to a resource through the enclave device 100 of FIG. 1, according to one or more embodiments. As depicted in FIG. 5, operation 500 involves the user 500A requesting access to the resource. This may involve the user 400A tapping on a display screen of a client device used by the user 400A (such as client device 130). The display screen may display a user interface of an application (such as the application 414A) resident on the client device 130 or 407A. In one embodiment, the application may be the presentation layer of an application resident on an application server communicatively coupled to the switch 304.

In response to the request of the user 400A, operation 502 involves the enclave device 100 opening an in-band VSC or an out-of-band VSC to the switch 304 over the SDN. The VSC may be opened at a resource level, a resource flow level, and/or a network level for the sole purpose of authenticating and authorizing the user as required by the resource. As indicated in FIG. 4, opening a VSC at a resource level (such as for one specific software application) may involve transmitting all data packets relating to the resource from the client device 130 or 407A, through the enclave device 100, to the switch 304 or an application server coupled to the switch 304 (and vice versa). Once the in-band or out-of-band VSC has been opened, operation 504 may involve the switch 304 prompting the user 400A to input a set of credentials into the enclave device 100. The set of credentials may include biometric data received from the user 400A (wherein the biometric data may be obtained from a biometric reader coupled to the enclave device 100 or the client device 130), a user name and password, and/or pattern recognition data received from the user 400A (wherein the pattern recognition data may be obtained from a pattern recognition reader—such as a QR code reader, a gesture reader, or a bar code reader—coupled to the enclave device 100 or the client device 130). Such credentials may be a part of a multi-factor authentication mechanism where the user 400A may be authenticated through any two of an NFC identification mechanism, a biometric reader identification mechanism, a user name and password identification mechanism, a pattern matching identification mechanism, a GPS identification mechanism, or an RFID mechanism.

Such identification data or credentials may be input through one or more of the readers 124 of the enclave device 100. Once identification data or credentials have been obtained through two of the aforementioned mechanisms, the enclave device 100 may then work with the switch 304 to authenticate the user 400A in operation 506. Operation 506 may involve the switch 304 authenticating the user 400A through the VSC opened (for example, VSC 428A). In this operation, the switch 304 may authenticate the user 400A trying to access the resource by comparing a credential or a hash of the credential (see FIG. 6) against a stored credential in the authentication database 434 of the control plane 430 of the switch 304. The stored credential may be a credential entered into the authentication database 434 by a network administrator, or may be a credential stored in the authentication database 434 after a previous transaction to create, modify, or validate user authentication data. This authentication may be done through either the in-band VSC or the out-of-band VSC opened (such as VSC 428A). In one embodiment, operation 504 may be considered a sub-operation of operation 506. Operation 506 may also involve additional sub-operations, which are illustrated in further detail in FIG. 6. The VSC may then be immediately closed once the authentication is complete.

Once authenticated, operation 508 may involve the enclave device 100 sending configuration data or a configuration setting through the NFC chip 120 embedded in the enclave device 100. Operation 510 may involve the switch 304 receiving the configuration data from the enclave device 100 through an NFC chip embedded in the switch 304. Operations 508 and 510 allow the user 400A to provision the switch 304 by simply holding the enclave device 100 close to the switch 304.

Operation 512 may involve the enclave device 100 generating a one-time encrypted software token (EST). At the same time that the enclave device 100 is generating the one-time EST, the switch 304 may independently generate an EST in operation 516. Operation 514 may involve the enclave device 100 sending a hash of the generated one-time EST to the switch 304 through the VSC 428A. In operation 518, programs in the control plane 430 of the switch 304 may then analyze and compare the hash of the generated one-time EST received from the enclave device 100 against the EST independently generated by the switch 304.

Operation 520 may involve the switch 304 granting the user 400A access to the resource based on a result of the comparison. Furthermore, operation 522 may involve the control plane 430 of the switch 304 accounting, in near real time, for a transaction conducted by the user 400A accessing the resource. Finally, operation 524 involves the switch 304 accepting the configuration data received through the NFC chip 120 and provisioning the switch hardware and software. Operation 526 involves the switch 304 issuing health data through the enclave device 100 (or another processing device) or through a display interface on the switch 304.

In one or more embodiments, the user 400A may refer to a human user accessing a resource on the client device 130 through the enclave device 100. In other embodiments, the user 400A may refer to another client device used by a human user to access the client device 130. For example, the user 400A may be a human user's home computer used by the human user to access a work laptop (which may be client device 130 in this case), which may, in turn, be instructed by the home computer to open an enterprise application on the work laptop to retrieve a resource behind the switch 304. The user 400A, in this case, would be the home computer rather than the human user. It may be beneficial to point out at this time that, unless otherwise indicated, all references to the client device 130 may also refer to any of the client devices 407A to 407N.

Reference is now made to FIG. 6, which illustrates a flowchart diagram of authenticating a user through the enclave device 100 of FIG. 1 and the switch 304, according to one or more embodiments. In particular, FIG. 6 depicts an in-depth embodiment of operation 506 of FIG. 5. Operation 600 involves the enclave device 100 sending a hash of the credentials of the user 400A from the enclave device 100. In operation 602, the enclave device 100 may then record a near real-time location of the client device 130 (as provided by a GPS locator of the client device 130) and a near real-time IP address of the client device 130. Additionally, the enclave device 100 may then begin to record a user behavior of the user 400A and a list of all resources accessed by the user 400A through the enclave device 100.

In operation 604, the switch 304 may query whether the hash of the credentials received from the user 400A is valid. If the answer to this query is yes, the switch 304 may then proceed to operation 606. If the answer to the query is no, the switch 304 may then deny the user 400A access to the resource (e.g., resource 440A) by closing the VSC. In operation 606, the switch 304 may be prompted to check the authentication policy. Moreover, in operation 608, the switch 304 may be prompted to also check the access policy, which may contain specific rules such as the user's role, time of day, or other relevant policy data concerning the resource in question. In operation 610, the switch 304 may obtain a set of stored encrypted credentials for the resource and transmit the credentials to the resource. This comprises a legacy username and password specifically and only for that given resource, permitting the switch to provide single sign-on (SSO) and a common credentialing system regardless of the number of disparate resources. Finally, in operation 612, the resource (for example, resource 440A) may decide whether the credentials for the resource are valid before authenticating the user 400A. If the resource 440A determines that the credentials for the resource are not valid, the resource 440A may deny the user 400A access to the resource.
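The switch-side decision flow of FIG. 6 (operations 604 through 610), written out as an added Python example that is not part of the patent. The page does not fix how credentials are stored or how the policies are expressed, so this example assumes salted SHA-256 credential hashes, an authentication policy that counts presented factors, an access policy of permitted roles plus an allowed hour window, and a constructed per-resource credential store for SSO; every identifier and secret in it is a constructed sample.

```python
"""Added example (not from the patent): switch-side authentication per FIG. 6.

Assumptions not specified by the page: credentials are stored as salted
SHA-256 hashes (operation 604), the authentication policy is a minimum
number of factors (operation 606), the access policy is a role set and an
hour window (operation 608), and the per-resource SSO credentials come from
a constructed store (operation 610). All values below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime


def credential_hash(secret: str, salt: bytes) -> str:
    """Hash a credential as the enclave sends it in operation 600 (assumed SHA-256 over salt||secret)."""
    return hashlib.sha256(salt + secret.encode()).hexdigest()


@dataclass
class AuthRequest:
    user_id: str            # user identity (402A)
    resource_id: str        # resource identity (422A)
    credential_hash: str    # hash sent in operation 600
    factors_used: tuple     # e.g. ("password", "biometric")
    role: str


@dataclass
class Decision:
    granted: bool
    reason: str
    sso_credentials: tuple = None   # legacy username/password for the resource (operation 610)
    close_vsc: bool = False         # a denial closes the VSC, as the page describes


# Constructed control-plane data standing in for authentication database 434 and the policies.
SALT = b"constructed-salt"
AUTH_DB = {"user400A": credential_hash("correct horse battery staple", SALT)}
AUTH_POLICY = {"min_factors": 2}                                   # operation 606
ACCESS_POLICY = {"resource440A": {"roles": {"engineer"}, "hours": (8, 18)}}   # operation 608
# Operation 610: the page stores these encrypted; this sample uses plaintext placeholders.
RESOURCE_CREDS = {("user400A", "resource440A"): ("legacy_user", "legacy_pass_PLACEHOLDER")}


def authenticate(req: AuthRequest, now: datetime) -> Decision:
    """Operations 604-610: each gate that fails denies access and closes the VSC."""
    stored = AUTH_DB.get(req.user_id)
    # Operation 604: constant-time comparison of the received hash with the stored one.
    if stored is None or not hmac.compare_digest(stored, req.credential_hash):
        return Decision(False, "credential hash invalid", close_vsc=True)
    # Operation 606: authentication policy (how many distinct factors were presented).
    if len(set(req.factors_used)) < AUTH_POLICY["min_factors"]:
        return Decision(False, "authentication policy: too few factors", close_vsc=True)
    # Operation 608: access policy for the resource (role, then time of day).
    policy = ACCESS_POLICY.get(req.resource_id)
    if policy is None or req.role not in policy["roles"]:
        return Decision(False, "access policy: role not permitted", close_vsc=True)
    start, end = policy["hours"]
    if not start <= now.hour < end:
        return Decision(False, "access policy: outside allowed hours", close_vsc=True)
    # Operation 610: look up the legacy credentials that the switch forwards to the resource (SSO).
    creds = RESOURCE_CREDS.get((req.user_id, req.resource_id))
    if creds is None:
        return Decision(False, "no SSO credentials provisioned for resource", close_vsc=True)
    return Decision(True, "authenticated; credentials forwarded to resource", sso_credentials=creds)
```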

As indicated above, in one embodiment, the resource 440A may reside on an application server communicatively coupled to the switch 304, or the resource 440A may reside on the switch 304. Moreover, the resource 440A may have a presentation layer residing on the client device 130 (for example, resource 410A) coupled to the enclave device 100 used by the user 400A to access the resource behind the switch.

Reference is now made to FIG. 7, which illustrates the enclave device 100 of FIG. 1 facilitating the authorization of an authenticated user, according to one or more embodiments. In one embodiment depicted in FIG. 7, enclave device 100 may facilitate the authorization of a user (for example, user 400A of FIG. 4) requesting access to a resource (such as resource 440A) by the switch 304. In one exemplary embodiment shown in FIG. 7, the enclave device 100 may facilitate the authorization by generating a one-time EST 700 based on a key agreement technique and using information related to the user identity 402A, the enclave device identity 416A, and/or the resource identity 422A. The enclave device 100 may then send a hash of the generated one-time EST 704 over an out-of-band VSC, depicted in FIG. 7 as VSC 428A. It should be understood by one of ordinary skill in the art of network security that the hash of the generated one-time EST 704 may be created by applying a hashing algorithm, such as SHA-256 (FIPS 180-4), to the generated one-time EST 700.

Simultaneously, the control plane 430 of the switch 304 may independently generate an EST 702 based on a key agreement technique and also using information related to the user identity 402A, the enclave device identity 416A, and/or the resource identity 422A. The user identity 402A, the enclave device identity 416A, and/or the resource identity 422A may be received from the enclave device 100 when the VSC was first opened. Once the EST has been independently generated by the control plane 430 of the switch 304, the independently generated EST 702 may be stored in the key management database 432 of the control plane 430 of the switch 304. The hash of the one-time EST 704 may then be sent by the enclave device 100 to a hash comparison engine 706 on the control plane 430 of the switch 304.

The hash comparison engine 706 may analyze and compare the hash of the generated EST 704 received from the enclave device 100 against the one-time EST 702 stored in the key management database 432. The data plane 438 of the switch 304 may then grant the user (for example, the user 400A) of the client device 130 coupled to the enclave device 100 access to the resource 440A through the VSC 428A. In one embodiment, the resource 440A may comprise an application residing on an application server communicatively coupled to the switch 304.
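The one-time EST exchange of FIG. 7 (and operations 512 through 518 of FIG. 5) modelled end to end, as an added Python example that is not part of the patent. The page names a "key agreement technique" without fixing it, so this example stands it in with a shared secret already agreed between enclave device and switch, derives the EST with HMAC-SHA256 over the three identities plus a per-VSC counter that makes the token one-time, and hashes it with SHA-256 as the page states; the replay guard in the comparison engine is also an assumption, and all identities and keys are constructed.

```python
"""Added example (not from the patent): the one-time EST exchange of FIG. 7.

Assumptions not fixed by the page: the key agreement output is a shared
secret K known to both sides; EST = HMAC-SHA256(K, user|device|resource|counter);
the hash crossing the VSC is SHA-256 of the EST; a used counter is rejected
so the token really is one-time. All values below are constructed.
"""
import hashlib
import hmac

SHARED_SECRET = b"constructed-key-agreement-output"   # stand-in for the key agreement result


def generate_est(shared_secret: bytes, user_id: str, device_id: str,
                 resource_id: str, vsc_counter: int) -> bytes:
    """Derive the one-time EST (700 on the enclave device, 702 on the switch).
    Both sides run this with identical inputs; the counter must not repeat for a VSC."""
    msg = b"|".join([user_id.encode(), device_id.encode(), resource_id.encode(),
                     vsc_counter.to_bytes(8, "big")])
    return hmac.new(shared_secret, msg, hashlib.sha256).digest()


def est_hash(est: bytes) -> bytes:
    """The hash of the EST (704) that is actually sent over the VSC."""
    return hashlib.sha256(est).digest()


class SwitchControlPlane:
    """Minimal control plane 430: key management database 432 plus hash comparison engine 706."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self.key_management_db = {}     # (user, device, resource) -> (stored EST 702, counter)
        self.used_counters = set()      # replay guard (assumption, not in the page)

    def independently_generate(self, user_id, device_id, resource_id, vsc_counter) -> None:
        """Operation 516: the switch derives its own EST and stores it in database 432."""
        est = generate_est(self._secret, user_id, device_id, resource_id, vsc_counter)
        self.key_management_db[(user_id, device_id, resource_id)] = (est, vsc_counter)

    def hash_comparison_engine(self, user_id, device_id, resource_id,
                               received_hash: bytes) -> bool:
        """Operation 518: compare the received hash 704 with the hash of stored EST 702."""
        entry = self.key_management_db.get((user_id, device_id, resource_id))
        if entry is None:
            return False                  # no independently generated EST for this triple
        stored_est, counter = entry
        if counter in self.used_counters:
            return False                  # a one-time token must not be accepted twice
        if not hmac.compare_digest(est_hash(stored_est), received_hash):
            return False                  # mismatch: the two sides did not agree on the EST
        self.used_counters.add(counter)
        return True                       # operation 520: the data plane may grant access


def run_exchange(switch: SwitchControlPlane, user_id: str, device_id: str,
                 resource_id: str, vsc_counter: int,
                 enclave_secret: bytes = SHARED_SECRET) -> bool:
    """One full exchange: enclave generates EST 700 and sends hash 704; the switch decides."""
    enclave_est = generate_est(enclave_secret, user_id, device_id, resource_id, vsc_counter)
    switch.independently_generate(user_id, device_id, resource_id, vsc_counter)
    return switch.hash_comparison_engine(user_id, device_id, resource_id, est_hash(enclave_est))
```

Passing a different `enclave_secret` models an enclave device whose key agreement did not match the switch's; the two ESTs then differ and the hash comparison fails.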

Once a user has been authenticated and authorized according to the methods described above, and the transaction conducted by the user has been accounted for in the accounting database 436, the switch 304 can ensure non-repudiation of the transaction to a third party.

A number of embodiments have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the claimed invention. In addition, the logic flows depicted in the figures do not require the particular order shown, or sequential order, to achieve desirable results. In addition, other steps may be provided, or steps may be eliminated, from the described flows, and other components may be added to, or removed from, the described systems. Accordingly, other embodiments are within the scope of the following claims.

It may be appreciated that the various systems, methods, and apparatus disclosed herein may be embodied in a machine-readable medium and/or a machine-accessible medium compatible with a data processing system (e.g., a computer system), and/or may be performed in any order.

The structures and modules in the figures may be shown as distinct and communicating with only a few specific structures and not others. The structures may be merged with each other, may perform overlapping functions, and may communicate with other structures not shown to be connected in the figures. Accordingly, the specification and/or drawings may be regarded in an illustrative rather than a restrictive sense.

The process flows and flow diagrams depicted in the figures do not require the particular order shown, or sequential order, to achieve desirable results. In addition, other steps may be provided, or steps may be eliminated from the described flows, and other components may be added to or removed from the depictions.

What is claimed is:
 1. A machine-implemented method, comprising: opening, through an enclave device, an in-band channel or an out-of-band channel over a network; authenticating, through the enclave device, a user of a resource over the in-band channel or the out-of-band channel; facilitating, through the enclave device, an authorization of the user to access the resource over the in-band channel or the out-of-band channel; and accounting for a transaction conducted by the user accessing the resource, through the enclave device, over the in-band channel or the out-of-band channel.
 2. The method of claim 1, wherein: the in-band channel is opened over an in-band network and the out-of-band channel is opened over an out-of-band network; the in-band network is at least one of a wireless network established over a licensed radio frequency band and a wired network; and the out-of-band network is a wireless network established over an unlicensed radio frequency band.
 3. The method of claim 1, further comprising: authenticating the user of the resource through a multi-factor authentication mechanism using at least one of a plurality of readers of the enclave device, wherein the multi-factor authentication mechanism comprises at least two of a near-field communication (NFC) identification mechanism, a biometric reader identification mechanism, a user name and password identification mechanism, a pattern matching identification mechanism, a global positioning system (GPS) identification mechanism, and a radio-frequency identification (RFID) mechanism.
 4. The method of claim 1, further comprising: facilitating, through the enclave device, the authorization of the user to access the resource by: generating a one-time encrypted software token (EST) through a trusted platform module (TPM), sending a hash of the one-time EST through at least one of the in-band channel and the out-of-band channel to a switch managing the network, and authorizing the user to access the resource based on a comparison of the hash of the one-time EST with a one-time EST independently generated by the switch.
 5. The method of claim 1, wherein the enclave device comprises a battery, a low-power processor, an NFC chip, a plurality of readers, an interface to a client device used by the user to access the resource, and a storage device coupled to the low-power processor.
 6. The method of claim 5, wherein the interface to the client device is a physical interface that couples the enclave device to the client device through a physical connection.
 7. The method of claim 5, wherein the interface to the client device is a radio interface that couples the enclave device to the client device through a radio frequency connection.
 8. The method of claim 1, wherein the enclave device is an integrated circuit chip embedded in a client device used by the user to access the resource.
 9. The method of claim 1, wherein the enclave device is a software module running on a client device used by the user to access the resource.
 10. The method of claim 1, wherein at least one of the in-band channel and the out-of-band channel is opened at one of a resource level, a resource flow level, and a network level, and a virtual network is established over at least one of the in-band channel and the out-of-band channel.
 11. An enclave device to provide a transaction over a network, comprising: one or more low-power processors; one or more storage devices communicatively coupled to the one or more low-power processors; a plurality of readers communicatively coupled to the one or more low-power processors; an NFC chip communicatively coupled to the one or more low-power processors; a battery; an interface to a client device; and one or more programs, wherein the one or more programs are stored in the one or more storage devices and executable by the one or more low-power processors, the one or more programs comprising: instructions to open an in-band channel or an out-of-band channel from the client device to a switch managing a network, instructions to authenticate a user of a resource over the in-band channel or the out-of-band channel, instructions to facilitate an authorization of the user to access the resource using the client device over the in-band channel or the out-of-band channel, and instructions to account for a transaction conducted by the user through the client device using the resource over the in-band channel or the out-of-band channel.
 12. The enclave device of claim 11, wherein: the in-band channel is opened over an in-band network and the out-of-band channel is opened over an out-of-band network; the in-band network is at least one of a wireless network established over a licensed radio frequency band and a wired network; the out-of-band network is a wireless network established over an unlicensed radio frequency band; at least one of the in-band channel and the out-of-band channel is opened at one of a resource level, a resource flow level, and a network level; and a virtual network is established over at least one of the in-band channel and the out-of-band channel.
 13. The enclave device of claim 11, further comprising: instructions to authenticate the user through a multi-factor authentication mechanism using at least one of the plurality of readers of the enclave device, wherein the multi-factor authentication mechanism comprises at least two of a near-field communication (NFC) identification mechanism, a biometric reader identification mechanism, a user name and password identification mechanism, a pattern matching identification mechanism, a global positioning system (GPS) identification mechanism, and a radio-frequency identification (RFID) mechanism.
 14. The enclave device of claim 11, further comprising: instructions to facilitate the authorization of the user to access the resource using the client device with further instructions to: generate a one-time encrypted software token (EST) through a trusted platform module (TPM), send a hash of the one-time EST through at least one of the in-band channel and the out-of-band channel to the switch, and authorize the user to access the resource based on a comparison of the hash of the one-time EST with a one-time EST independently generated by the switch.
 15. The enclave device of claim 11, wherein the interface to the client device is a physical interface that couples the enclave device to the client device through a physical connection.
 16. The enclave device of claim 11, wherein the interface to the client device is a radio interface that couples the enclave device to the client device through a radio frequency connection.
 17. A storage medium, readable through a processor, and including instructions embodied therein and configured to be executable through the processor, comprising: instructions to open an in-band channel or an out-of-band channel from a client device to a switch managing a network; instructions to authenticate, through a reader communicatively coupled to the processor, a user of a resource over the in-band channel or the out-of-band channel; instructions to facilitate an authorization of the user to access the resource over the in-band channel or the out-of-band channel; and instructions to account for a transaction conducted by the user using the resource over the in-band channel or the out-of-band channel.
 18. The storage medium of claim 17, wherein: the in-band channel is opened over an in-band network and the out-of-band channel is opened over an out-of-band network; the in-band network is at least one of a wireless network established over a licensed radio frequency band and a wired network; the out-of-band network is a wireless network established over an unlicensed radio frequency band; at least one of the in-band channel and the out-of-band channel is opened at one of a resource level, a resource flow level, and a network level; and a virtual network is established over at least one of the in-band channel and the out-of-band channel.
 19. The storage medium of claim 17, further comprising: instructions to authenticate the user of the resource through a multi-factor authentication mechanism using the reader, wherein the multi-factor authentication mechanism comprises at least two of a near-field communication (NFC) identification mechanism, a biometric reader identification mechanism, a user name and password identification mechanism, a pattern matching identification mechanism, a global positioning system (GPS) identification mechanism, and a radio-frequency identification (RFID) mechanism.
 20. The storage medium of claim 17, further comprising: instructions to facilitate the authorization of the user to access the resource with further instructions to: generate a one-time encrypted software token (EST) through a trusted platform module (TPM), send a hash of the one-time EST through at least one of the in-band channel and the out-of-band channel to the switch, and authorize the user to access the resource based on a comparison of the hash of the one-time EST with a one-time EST independently generated by the switch.